<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">
<link rel="pingback" href="https://news.sophos.com/xmlrpc.php">
	<link rel="alternate" hreflang="es-419" href="https://news.sophos.com/es-419/2020/12/16/systembc" />
	<link rel="alternate" hreflang="nl-nl" href="https://news.sophos.com/nl-nl/2020/12/16/systembc" />
	<link rel="alternate" hreflang="pt-br" href="https://news.sophos.com/pt-br/2020/12/16/systembc" />
	<link rel="alternate" hreflang="de-de" href="https://news.sophos.com/de-de/2020/12/16/systembc" />
	<link rel="alternate" hreflang="en-us" href="https://news.sophos.com/en-us/2020/12/16/systembc" />
	<link rel="alternate" hreflang="fr-fr" href="https://news.sophos.com/fr-fr/2020/12/16/systembc" />
	<link rel="alternate" hreflang="es-es" href="https://news.sophos.com/es-es/2020/12/16/systembc" />
	<link rel="alternate" hreflang="it-it" href="https://news.sophos.com/it-it/2020/12/16/systembc" />
	<link rel="alternate" hreflang="ja-jp" href="https://news.sophos.com/ja-jp/2020/12/16/systembc" />
	<link rel="alternate" hreflang="zh-tw" href="https://news.sophos.com/zh-tw/2020/12/16/systembc" />
<title>Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor &#8211; Sophos News</title>
<meta name='robots' content='max-image-preview:large' />
<!-- Jetpack Site Verification Tags -->
<meta name="google-site-verification" content="8r1qg681OjOolfxmHEY1IYupmTBdyKXc-OPfpgeQHFk" />
<link rel='dns-prefetch' href='//cdn.jsdelivr.net' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel='dns-prefetch' href='//v0.wordpress.com' />
<link rel="alternate" type="application/rss+xml" title="Sophos News &raquo; Feed" href="https://news.sophos.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Sophos News &raquo; Comments Feed" href="https://news.sophos.com/comments/feed/" />
<link rel="alternate" type="application/rss+xml" title="Sophos News &raquo; Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor Comments Feed" href="https://news.sophos.com/en-us/2020/12/16/systembc/feed/" />
	<link rel='stylesheet' id='all-css-0' href='https://news.sophos.com/_static/??-eJyNj80OgjAQhF/IshQJ4sH4LKVsoLr9CduG9O0t6gHixdvOznzZHViDME5TGpFBM8NoOMJAXj8FmWFRSwaOmbCyxlUlcII98WCwOBqFhBZdPIhAKuMiCCel83948fb6AGnv4paJc/EY2IfZs8OVRVPLy+fJMjbyh7BJBEqTceUgxqBKNVlX7bvud7Exd3uT3fna9X0j2xefhmXD' type='text/css' media='all' />
<style id='wp-block-library-inline-css'>
.has-text-align-justify{text-align:justify;}
</style>
<script type="text/javascript" src="https://news.sophos.com/_static/??-eJzTLy/QzcxLzilNSS3WzwKiwtLUokoopZebmaeXVayjj0+Rbm5melFiSSpUsX2uraGZsaWZhYWRoUkWAK+4Iig=" ></script><link rel="https://api.w.org/" href="https://news.sophos.com/wp-json/" /><link rel="alternate" type="application/json" href="https://news.sophos.com/wp-json/wp/v2/posts/71298" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://news.sophos.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://news.sophos.com/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 5.8.2" />
<link rel="canonical" href="https://news.sophos.com/en-us/2020/12/16/systembc/" />
<link rel='shortlink' href='https://news.sophos.com/?p=71298' />
<link rel="alternate" type="application/json+oembed" href="https://news.sophos.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fnews.sophos.com%2Fen-us%2F2020%2F12%2F16%2Fsystembc%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://news.sophos.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fnews.sophos.com%2Fen-us%2F2020%2F12%2F16%2Fsystembc%2F&#038;format=xml" />
<style type='text/css'>img#wpstats{display:none}</style>
		<link rel="amphtml" href="https://news.sophos.com/en-us/2020/12/16/systembc/amp/">
<!-- Jetpack Open Graph Tags -->
<meta property="og:type" content="article" />
<meta property="og:title" content="Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor" />
<meta property="og:url" content="https://news.sophos.com/en-us/2020/12/16/systembc/" />
<meta property="og:description" content="A commodity malware backdoor, SystemBC has evolved into a Tor proxy and remote control tool favored by actors behind the latest high-profile ransomware campaigns." />
<meta property="article:published_time" content="2020-12-16T13:30:05+00:00" />
<meta property="article:modified_time" content="2020-12-16T16:29:24+00:00" />
<meta property="og:site_name" content="Sophos News" />
<meta property="og:image" content="https://news.sophos.com/wp-content/uploads/2020/12/tv-remote-e1607983796505.jpg?w=640" />
<meta property="og:image:secure_url" content="https://news.sophos.com/wp-content/uploads/2020/12/tv-remote-e1607983796505.jpg?w=640" />
<meta property="og:image:width" content="640" />
<meta property="og:image:height" content="332" />
<meta property="og:image:alt" content="" />
<meta property="og:locale" content="en_US" />
<meta name="twitter:text:title" content="Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor" />
<meta name="twitter:image" content="https://news.sophos.com/wp-content/uploads/2020/12/tv-remote-e1607983796505.jpg?w=640" />
<meta name="twitter:card" content="summary_large_image" />
<meta property="fb:admins" content="28552295016" />

<!-- End Jetpack Open Graph Tags -->
<link rel="icon" href="https://news.sophos.com/wp-content/uploads/2020/01/cropped-sophos.png?w=32" sizes="32x32" />
<link rel="icon" href="https://news.sophos.com/wp-content/uploads/2020/01/cropped-sophos.png?w=192" sizes="192x192" />
<link rel="apple-touch-icon" href="https://news.sophos.com/wp-content/uploads/2020/01/cropped-sophos.png?w=180" />
<meta name="msapplication-TileImage" content="https://news.sophos.com/wp-content/uploads/2020/01/cropped-sophos.png?w=270" />
</head>

<body class="post-template-default single single-post postid-71298 single-format-standard group-blog">
<div id="page" class="hfeed site">

	

	<div id="content">

	<div id="primary" class="content-area">
		<main id="main" class="site-main" role="main">

		
			
<article id="post-71298" class="post-71298 post type-post status-publish format-standard has-post-thumbnail hentry category-sophoslabs-uncut tag-malware-as-a-service tag-systembc region-en-us">

		<div class="container mt-8 md:mt-16">
		<div class="max-w-5xl mx-auto relative">
				<div
						class="aspect-w-16 aspect-h-9 flex bg-gray-400 bg-right bg-no-repeat bg-cover"
				>
					<img width="943" height="489" src="https://news.sophos.com/wp-content/uploads/2020/12/tv-remote-e1607983796505.jpg?w=943" class="object-cover wp-post-image" alt="" loading="lazy" srcset="https://news.sophos.com/wp-content/uploads/2020/12/tv-remote-e1607983796505.jpg 943w, https://news.sophos.com/wp-content/uploads/2020/12/tv-remote-e1607983796505.jpg?resize=300,156 300w, https://news.sophos.com/wp-content/uploads/2020/12/tv-remote-e1607983796505.jpg?resize=768,398 768w" sizes="(max-width: 943px) 100vw, 943px" />				</div>
								<div
						class="left-8 w-28 h-28 lg:left-12 xl:left-16 lg:w-40 lg:h-40 place-items-center absolute top-0 grid"
				>
					<img
							src="https://news.sophos.com/wp-content/uploads/2021/05/Category-Icon-Threat-Research@2x.min_.png"
							alt="SophosLabs Uncut"
					/>
									</div>
						</div>
	</div>


			
	<header>
		<div class="container mt-8 md:mt-16 md:-mb-4">
			<div class="max-w-4xl mx-auto">

				<h1 class="text-style-h1 mb-8">Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor</h1>
									<div class="text-xl md:text-2xl -mt-2 mb-6">
						A commodity malware backdoor, SystemBC has evolved into a Tor proxy and remote control tool favored by actors behind the latest high-profile ransomware campaigns.					</div>
				
				<div class="text-xl md:text-xl -mt-2">
					<span class="byline">
		Written by 				<span class="author vcard">
				<a href="https://news.sophos.com/en-us/author/sivagnanam-gn/" title="Posts by Sivagnanam Gn" class="author url fn" rel="author">Sivagnanam Gn</a>,				</span>
										<span class="author vcard">
				<a href="https://news.sophos.com/en-us/author/sean-gallagher/" title="Posts by Sean Gallagher" class="author url fn" rel="author">Sean Gallagher</a>				</span>
								</span>
						</div>

				<div class="text-sophos-gray-600 mt-4 text-xs font-sansSemiBold font-semibold leading-tight uppercase">
					<span class="posted-on"><a href="https://news.sophos.com/en-us/2020/12/16/systembc/" rel="bookmark">December 16, 2020</a></span>				</div>

				<div class="mt-6 space-y-2 space-x-1">
					<a href="https://news.sophos.com/en-us/category/threat-research/sophoslabs-uncut/" class="category-tag-pill">SophosLabs Uncut</a> <a href="https://news.sophos.com/en-us/tag/malware-as-a-service/" class="category-tag-pill">Malware as a service</a> <a href="https://news.sophos.com/en-us/tag/systembc/" class="category-tag-pill">SystemBC</a>				</div>
			</div>
		</div>
	</header><!-- .entry-header -->

	<div class="container md:my-16 xl:my-24 my-8">
	<div class="entry-content lg:prose-lg mx-auto prose max-w-4xl">
		<p>In our investigations into a number of recent ransomware attacks, we&#8217;ve observed sets of tools associated with multiple types of ransomware deployed in much the same way, suggesting their use by one or more ransomware-as-a-service affiliates. One of those tools is SystemBC, a backdoor that provides attackers with a persistent connection to their victims&#8217; systems.</p>
<p>First seen in 2019, SystemBC is a proxy and remote administrative tool, named by researchers after the string in the URI its control panel used. It acts both as a network proxy for concealed communications and as a remote administration tool (RAT)—capable of executing Windows commands, and delivering and executing scripts, malicious executables and dynamic link libraries (DLLs). After being dropped by other malware, it provides attackers with a persistent backdoor.</p>
<p>While SystemBC has been around for over a year, we&#8217;ve seen both its use and its features continue to evolve. The most recent samples of SystemBC carry code that, instead of acting essentially as a virtual private network via a SOCKS5 proxy, uses the Tor anonymizing network to encrypt and conceal the destination of command and control traffic.</p>
<p>Over the past few months, we have continued to detect hundreds of attempted SystemBC deployments worldwide. SystemBC was used in recent Ryuk and Egregor attacks investigated by Sophos MTR&#8217;s Rapid Response team, often in combination with post-exploitation tools such as Cobalt Strike. In some cases, the SystemBC RAT was deployed to servers after the attackers had gained administrative credentials and moved deep into the targeted network.</p>
<p><a href="https://news.sophos.com/wp-content/uploads/2020/12/SystemBC.png"><img loading="lazy" class="alignnone size-large wp-image-71526" src="https://news.sophos.com/wp-content/uploads/2020/12/SystemBC.png?w=640" alt="" width="640" height="512" srcset="https://news.sophos.com/wp-content/uploads/2020/12/SystemBC.png 2481w, https://news.sophos.com/wp-content/uploads/2020/12/SystemBC.png?resize=300,240 300w, https://news.sophos.com/wp-content/uploads/2020/12/SystemBC.png?resize=768,615 768w, https://news.sophos.com/wp-content/uploads/2020/12/SystemBC.png?resize=1024,820 1024w, https://news.sophos.com/wp-content/uploads/2020/12/SystemBC.png?resize=1536,1230 1536w, https://news.sophos.com/wp-content/uploads/2020/12/SystemBC.png?resize=2048,1639 2048w" sizes="(max-width: 640px) 100vw, 640px" /></a></p>
<h3>Deployment</h3>
<p>When dropped and executed, SystemBC performs a check to see whether it was launched with the command-line argument &#8220;start&#8221;—indicating it was executed as a scheduled service. If not, it copies itself to a randomly named directory and file name within the ProgramData directory, and then schedules that copy as a task (launched with the &#8220;start&#8221; command) to achieve persistence.</p>
<p>However, if SystemBC finds a running process called a2guard.exe—a component of Emsisoft&#8217;s anti-malware software—it skips the creation of a service. This behavior dates back to the first samples of SystemBC found in 2019.</p>
<figure id="attachment_71376" aria-describedby="caption-attachment-71376" style="width: 640px" class="wp-caption alignnone"><a href="https://news.sophos.com/wp-content/uploads/2020/12/systembc-install.png"><img loading="lazy" class="size-large wp-image-71376" src="https://news.sophos.com/wp-content/uploads/2020/12/systembc-install.png?w=640" alt="" width="640" height="531" srcset="https://news.sophos.com/wp-content/uploads/2020/12/systembc-install.png 714w, https://news.sophos.com/wp-content/uploads/2020/12/systembc-install.png?resize=300,249 300w" sizes="(max-width: 640px) 100vw, 640px" /></a><figcaption id="caption-attachment-71376" class="wp-caption-text">Decompiled code from SystemBC showing the installation logic.</figcaption></figure>
<p>Once SystemBC is launched from its scheduled task, it starts its command and control connections.</p>
<h3>BC phone home</h3>
<p>There are two elements of the CnC: a beacon connection to a remote server at one of two domains hard-coded into the malware, and a lightweight Tor client.</p>
<p>The non-Tor communications are raw TCP, connecting to port 4044 (typically used by the Location Tracking Protocol) on the remote server. The domains varied from sample to sample—likely configured for a specific campaign at build-time. We observed two domains in use in our primary sample: advertrex20[.]xyz and gentexman37[.]xyz. The first domain no longer resolved at the time of analysis; during analysis, the second domain also became unreachable.</p>
<p>The malware selects one of the hard-coded domains and sends an initial block of data (100 bytes in this instance), then maintains an open socket, with the connection occasionally being reset.</p>
<figure id="attachment_71380" aria-describedby="caption-attachment-71380" style="width: 640px" class="wp-caption alignnone"><a href="https://news.sophos.com/wp-content/uploads/2020/12/systembc-heartbeat.png"><img loading="lazy" class="wp-image-71380 size-large" src="https://news.sophos.com/wp-content/uploads/2020/12/systembc-heartbeat.png?w=640" alt="PCAP OF SYSTEMBC" width="640" height="191" srcset="https://news.sophos.com/wp-content/uploads/2020/12/systembc-heartbeat.png 1512w, https://news.sophos.com/wp-content/uploads/2020/12/systembc-heartbeat.png?resize=300,90 300w, https://news.sophos.com/wp-content/uploads/2020/12/systembc-heartbeat.png?resize=768,230 768w, https://news.sophos.com/wp-content/uploads/2020/12/systembc-heartbeat.png?resize=1024,306 1024w" sizes="(max-width: 640px) 100vw, 640px" /></a><figcaption id="caption-attachment-71380" class="wp-caption-text">Part of a packet capture of SystemBC&#8217;s initial CnC communications</figcaption></figure>
<figure id="attachment_71379" aria-describedby="caption-attachment-71379" style="width: 587px" class="wp-caption alignnone"><a href="https://news.sophos.com/wp-content/uploads/2020/12/systembc-datablock.png"><img loading="lazy" class="wp-image-71379 size-large" src="https://news.sophos.com/wp-content/uploads/2020/12/systembc-datablock.png?w=587" alt="" width="587" height="346" srcset="https://news.sophos.com/wp-content/uploads/2020/12/systembc-datablock.png 587w, https://news.sophos.com/wp-content/uploads/2020/12/systembc-datablock.png?resize=300,177 300w" sizes="(max-width: 587px) 100vw, 587px" /></a><figcaption id="caption-attachment-71379" class="wp-caption-text">The packet block sending the initial data from SystemBC to the command and control domain.</figcaption></figure>
<p>Most of the CnC communications with the SystemBC RAT are over a Tor connection. The Tor communications element of SystemBC appears to be based on <a href="https://github.com/wbenny/mini-tor/">mini-tor</a>, an open-source library for lightweight connectivity to the Tor anonymized network. The code of mini-Tor isn&#8217;t duplicated in SystemBC (since mini-Tor is written in C++ and SystemBC is compiled from C). But the bot&#8217;s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API&#8217;s Base Crypto (BCrypt) functions.</p>
<figure id="attachment_71386" aria-describedby="caption-attachment-71386" style="width: 640px" class="wp-caption alignnone"><a href="https://news.sophos.com/wp-content/uploads/2020/12/IDApro_systembc_tor.png"><img loading="lazy" class="size-large wp-image-71386" src="https://news.sophos.com/wp-content/uploads/2020/12/IDApro_systembc_tor.png?w=640" alt="" width="640" height="586" srcset="https://news.sophos.com/wp-content/uploads/2020/12/IDApro_systembc_tor.png 759w, https://news.sophos.com/wp-content/uploads/2020/12/IDApro_systembc_tor.png?resize=300,275 300w" sizes="(max-width: 640px) 100vw, 640px" /></a><figcaption id="caption-attachment-71386" class="wp-caption-text">Some of the Tor client code from the SystemBC executable dumped from memory and disassembled. The IP addresses shown are known Tor gateway hosts, including dannenberg[.]torauth[.]de and tor[.]noreply[.]org</figcaption></figure>
<p>When the bot is executed from its scheduled task, it collects the following information, stores it in a buffer, and sends it to the CnC through the Tor connection:</p>
<ul>
<li>The active Windows user name</li>
<li>The Windows build number for the infected system</li>
<li>A WOW process check (whether the OS on the infected system is 32-bit or 64-bit)</li>
<li>The volume serial number.</li>
</ul>
<p>The collected data is RC4-encrypted with a hard-coded key before it is sent to the CnC, using a socket connection handled by the malware&#8217;s mini-tor library and socket APIs.</p>
<figure id="attachment_71382" aria-describedby="caption-attachment-71382" style="width: 640px" class="wp-caption alignnone"><a href="https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_cnc_sendclientdata.png"><img loading="lazy" class="size-large wp-image-71382" src="https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_cnc_sendclientdata.png?w=640" alt="" width="640" height="321" srcset="https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_cnc_sendclientdata.png 900w, https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_cnc_sendclientdata.png?resize=300,150 300w, https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_cnc_sendclientdata.png?resize=768,385 768w" sizes="(max-width: 640px) 100vw, 640px" /></a><figcaption id="caption-attachment-71382" class="wp-caption-text">A snippet of decompiled code from SystemBC showing data sent about the targeted system back to the Tor CnC.</figcaption></figure>
<h3>Remote control</h3>
<p>The operators of the bot can use the CnC server to send a number of payloads back to the infected system for execution. SystemBC can parse and execute EXE or DLL data blobs passed over the Tor connection, shellcode, VBS scripts, Windows commands and batch scripts, and PowerShell scripts.</p>
<figure id="attachment_71383" aria-describedby="caption-attachment-71383" style="width: 640px" class="wp-caption alignnone"><a href="https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_data_receive.png"><img loading="lazy" class="size-large wp-image-71383" src="https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_data_receive.png?w=640" alt="" width="640" height="445" srcset="https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_data_receive.png 862w, https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_data_receive.png?resize=300,208 300w, https://news.sophos.com/wp-content/uploads/2020/12/systembc_rat_data_receive.png?resize=768,534 768w" sizes="(max-width: 640px) 100vw, 640px" /></a><figcaption id="caption-attachment-71383" class="wp-caption-text">A chunk of the decompiled code from SystemBC showing types of data it expects from the CnC.</figcaption></figure>
<p>For VBS, BAT and CMD commands, the bot creates a randomly named file in the %TEMP% directory and creates a scheduled task for the script. For PowerShell commands, it creates a scheduled task for the script and adds the following command-line options so that the script runs with a hidden window:</p>
<pre>'-WindowStyle Hidden -ep bypass -file "'</pre>
<p>If the received data does not parse as a script, the bot checks for an MZ header to determine whether it is a Windows executable. If it is, SystemBC loads it directly for execution without writing a file to disk. If the data received from the CnC has no MZ signature, the bot assumes it is shellcode and spawns a thread to execute it. If the data is determined to be a DLL binary, SystemBC loads the DLL using <strong>execute_pe_from_mem_thread</strong> and calls its export function using <strong>call_dll_export_function_thread</strong>.</p>
<p><a href="https://news.sophos.com/wp-content/uploads/2020/12/SystemBC-MITRE-ATTACK.png"><img loading="lazy" class="alignnone size-large wp-image-71527" src="https://news.sophos.com/wp-content/uploads/2020/12/SystemBC-MITRE-ATTACK.png?w=640" alt="" width="640" height="360" srcset="https://news.sophos.com/wp-content/uploads/2020/12/SystemBC-MITRE-ATTACK.png 960w, https://news.sophos.com/wp-content/uploads/2020/12/SystemBC-MITRE-ATTACK.png?resize=300,169 300w, https://news.sophos.com/wp-content/uploads/2020/12/SystemBC-MITRE-ATTACK.png?resize=768,432 768w" sizes="(max-width: 640px) 100vw, 640px" /></a></p>
<h3>From spray and pray to sniping</h3>
<p>Collectively, these capabilities give attackers a point-and-shoot capability to perform discovery, exfiltration and lateral movement with packaged scripts and executables—without needing hands-on-keyboard interaction. These capabilities were originally intended for mass exploitation, but they have now been folded into the toolkit for targeted attacks—including ransomware.</p>
<p>In a <a href="https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/">September Ryuk attack</a>, SystemBC was deployed on the target network&#8217;s domain controller—apparently delivered by Cobalt Strike. And in November, we saw SystemBC in association with <a href="https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/">an Egregor attack</a>—again associated with Cobalt Strike (though it is not clear which dropped which).</p>
<p>In these cases, SystemBC was deployed as one of several commodity tools to establish persistence across the targeted network. In the Ryuk attacks we saw with SystemBC, initial compromise came from phishing messages that delivered the Buer Loader malware; other attacks in the same campaign used Bazar or Zloader. The Egregor attacks we saw used another loader dropped by malicious emails—Qbot.</p>
<p>All of these attacks appear to have been launched by affiliates of the ransomware operators, or by the ransomware gangs themselves through multiple malware-as-a-service providers. They involved days or weeks of time on the targets&#8217; networks and data exfiltration. SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials.</p>
<p>Fortunately, SystemBC is detected by many anti-malware tools, including Sophos (via both signature and machine learning). Attackers continue to use SystemBC situationally with success because they exploit inconsistent malware protection across organizations, or use legitimate credentials to disable some malware protection.</p>
<p>A list of IOCs for SystemBC is <a href="https://github.com/sophoslabs/IoCs/blob/master/Malware-SystemBC.csv">posted on SophosLabs&#8217; GitHub page</a>.</p>
<h4>Sophos would like to acknowledge the contributions of Anand Aijan and Syraj Mundalik of SophosLabs, and of Peter Mackenzie, Elida Leite, Syed Shahram and Bill Kearney of the Sophos MTR Rapid Response team to this report.</h4>
			</div>
	</div>

</article><!-- #post-## -->

			<div class="container my-8 md:my-16">
				<div class="max-w-4xl mx-auto">
					<div class="article-author-block article-co-authors-block">
	
					<div class="author-block">
				<div class="author-block__profile">
					<img width="299" height="400" src="https://news.sophos.com/wp-content/uploads/2020/12/Siva.jpg?w=299" class="avatar avatar-400 photo wp-post-image" alt="" />				</div> <!-- .author-profile -->

				<div class="author-block__wrapper">
					<div class="author-block__content">

													<div class="author-block__about">
								About the Author							</div>
						
						<h3 class="author-block__name">
						<a href="https://news.sophos.com/en-us/author/sivagnanam-gn/" title="Posts by Sivagnanam Gn" class="author url fn" rel="author">Sivagnanam Gn</a>						</h3>

						
							<div class="author-block__bio">
								<p>Sivagnanam is a Threat Researcher at SophosLabs. He works on analyzing malware behaviour and detecting it. He is interested in reverse engineering and CnC protocol emulation of botnets. He has been a malware researcher for 14 years.</p>
							</div> <!-- .author-bio -->

					</div>
				</div>

			</div> <!-- .author-block-container -->
					<div class="author-block">
				<div class="author-block__profile">
					<img width="400" height="400" src="https://news.sophos.com/wp-content/uploads/2020/02/sean-gallagher.jpg?w=400" class="avatar avatar-400 photo wp-post-image" alt="Sean Gallagher" />				</div> <!-- .author-profile -->

				<div class="author-block__wrapper">
					<div class="author-block__content">

													<div class="author-block__about">
								About the Author							</div>
						
						<h3 class="author-block__name">
						<a href="https://news.sophos.com/en-us/author/sean-gallagher/" title="Posts by Sean Gallagher" class="author url fn" rel="author">Sean Gallagher</a>						</h3>

						
							<div class="author-block__bio">
								<p>Sean Gallagher is a Senior Threat Researcher at Sophos. </p>
<p>Previously, Gallagher was IT and National Security Editor at Ars Technica, where he focused on information security and digital privacy issues, cybercrime, cyber espionage and cyber warfare. He has been a security researcher, technology journalist and information technology practitioner for over 20 years.</p>
							</div> <!-- .author-bio -->

					</div>
				</div>

			</div> <!-- .author-block-container -->
		
		</div>
				</div>
			</div>

			

			
</div><!-- #comments -->

		
		</main><!-- #main -->
	</div><!-- #primary -->


	</div> <!-- #content -->

	



</body>
</html>
